Data Retention and Destruction Policy
This policy is published in accordance with KVKK Art. 7 and the Regulation on Erasure, Destruction or Anonymisation of Personal Data (Official Gazette No. 30224, 28 October 2017). It applies regardless of VERBİS registration status, including for data controllers exempted from registration.
Scope
This policy sets the retention periods for personal data processed by Opsida Teknoloji Yazılım Bilgisayar ve Danışmanlık Ltd. Şti., the methods used when those periods expire (erasure, destruction, anonymisation), the periodic destruction calendar, and the responsible parties. It applies to job candidates, customers, customer staff, supplier contacts, website visitors and other data subjects.
Retention periods by category

| Data category | Retention | Basis |
|---|---|---|
| Identity (name, title, ID number when needed) | 10 years from end of relationship | Turkish Commercial Code Art. 82, Code of Obligations Art. 146 |
| Contact (e-mail, phone, address) | 10 years from end of relationship | TCC Art. 82 |
| Customer transactions (invoice, payment, contract) | 5 years (VUK) + 10 years (TCC) | VUK Art. 253, TCC Art. 82 |
| Legal records (contract, NDA, case file) | 10 years from end of contract | Code of Obligations Art. 146 |
| Marketing (newsletter, campaign consent) | Until consent withdrawn; 6 months thereafter | KVKK Art. 5/1; Law No. 6563 Art. 6 |
| Cookie preference (analytics / marketing) | 12 months (reset if renewed) | ePrivacy 5(3); KVKK Art. 5/1 |
| Server logs (IP, user-agent, request) | 30 days (up to 1 year if security event) | KVKK Art. 5/2(f); Law No. 5651 Art. 8 |
| Job candidate CV and assessments | 2 years from position close (with consent) | KVKK Art. 5/1 |
| Employee personnel file | 10 years from termination | Labour Law Art. 75; SGK regulations |
| Security camera footage (if any) | 30 days | KVKK Art. 5/2(f) |
| Audit log (system activity) | 1 year online + 7 years archive | KVKK Art. 12; VUK Art. 253 |

Destruction methods
- Erasure — Electronic records are removed from the application database in a manner that prevents recovery. Where a hard delete is not feasible, anonymisation is preferred.
- Destruction — Physical documents (e.g. wet-ink contract copies) are shredded; magnetic media is degaussed or incinerated.
- Anonymisation — Personal data is transformed so that a data subject cannot be re-identified even when combined with other data (e.g. customer name removed, only transaction volume retained).
- All destruction events are logged (who, when, which data, which method).
Periodic destruction calendar
Data that has reached the end of its retention period is reviewed and destroyed every six months (March and September). Where there is an urgent rights claim or a data subject deletion request, the request is processed within 30 days as required by KVKK Art. 13.
Responsibility and review
The company director is responsible for the application of this policy. Destruction decisions are taken in coordination with all units that share responsibility for the relevant data. The policy is reviewed annually and updated whenever legislation or technical infrastructure changes. Version history is kept in the company's internal records.
This policy is maintained in writing so that it can be presented in an audit or a Board investigation; this obligation applies even where there is no VERBİS registration.

